CYBER ATTACK ON JPMORGAN CHASE: HACKING AS A ‘BUSINESS MODEL’

In a case described as the “largest US bank breach ever”, four men were indicted in early November 2015 on 23 criminal counts, including computer hacking, conspiracy to commit securities fraud and other charges.

Two of the men, Gery Shalon and Ziv Orenstein, are awaiting extradition from Israel, while an American citizen, Joshua Aaron, is believed to be at large in Russia. A fourth man, Anthony Murgio, was charged under a separate indictment for conducting an unlawful bitcoin exchange.

Until now, cyber crime primarily took the form of data theft and distributed denial of service (DDoS) attacks, which are sometimes launched simultaneously with devastating impact on operations and brand reputation. Data hacks, like those launched recently against retail outlets, the federal government, and research institutions, exfiltrate sensitive personal, national and scientific information into the hands of foreign agents or nation states.

The cyber attack that lifted email and other personal information from more than 80 million customers of JP Morgan Chase was only one part of a much larger criminal enterprise.

Described by the United States attorney for the Southern District of New York, Preet Bharara, “It is no longer hacking for a quick pay-out. Rather, it is hacking in support of a diversified criminal conglomerate. It is hacking to locate victims. It is hacking to spy on the competition. It is hacking to maximise profit. In short, it is hacking as a business model.”

Seven financial institutions are among the victims

Dating back as far as 2007, the far-flung criminal enterprise involved 12 separate companies, including seven financial institutions, financial reporting organisations and a market risk firm. According to investigators, the group attacked financial firms through direct hacks, misappropriating user passwords and exploitation of vulnerable network security.